
## Moir: A Framework for Formally Verifying Software Transactional Memory Algorithms

Venue: In Proceedings of the 23rd International Conference on Concurrency Theory, CONCUR 2012

Citations: 7 (5 self)

### Citations

997 | Transactional memory: Architectural support for lock-free data structures
- Herlihy, Moss
- 1993
Citation Context: ...mplexity. 1 Introduction As multicore computing becomes ubiquitous, it is increasingly important to support effective concurrent programming for a wide range of programmers. Transactional memory (TM) [9] allows programmers to specify a sequence of operations on shared objects that should be executed as a transaction that appears to be applied without interference from concurrent transactions, and wit...

652 | PVS: A prototype verification system
- Owre, Shankar, et al.
- 1992
Citation Context: ... allows a proof for one TM algorithm to leverage parts of the hierarchy constructed for other TM algorithms, thus significantly improving productivity. The framework is formalized in the PVS language [14, 16]. Using this framework, we have achieved the first fully formal machine-checked verification of a practical TM algorithm, the NOrec algorithm [3]. As described in [10], we have also recently used the ...

415 | Hierarchical Correctness Proofs for Distributed Algorithms
- Lynch, Tuttle
- 1987
Citation Context: ...e., the TM specification), modeling TM implementations, and verifying that the implementations provide the specified guarantees. Our framework is based on I/O automata and simulation proof techniques [11, 12], which support hierarchical proofs by modeling both specifications and implementations as automata and proving simulation relations between these automata. The hierarchical proof approach allows a pr...

345 | Transactional locking II
- Dice, Shalev
- 2006
Citation Context: ...tisfies TMS2. This is the approach we have taken for our NOrec proof. 2.2 The NOrec Algorithm NOrec [3] significantly reduces low-contention overhead as compared to previous TM algorithms such as TL2 [4] by eliminating ownership records, which hold TM metadata that is used when an associated location is accessed. NOrec achieves this by using a sequence lock (seqlock) that is acquired by every transac...

246 | The serializability of concurrent database updates
- Papadimitriou
- 1979
Citation Context: ...t is consistent with some execution in which all transactions that commit do so instantaneously [5, 8]. Traditional correctness conditions for transactions in database systems—such as serializability [15]—do not ensure this. In [5], we defined a general condition TMS1 and a more restrictive condition TMS2. TMS1 aims to allow all implementations that provide reasonable behavior for the intended context...

203 | On the Correctness of Transactional Memory
- Guerraoui, Kapalka
- 2008
Citation Context: ... divide-by-zero in this context, transactions—even those that ultimately abort—must observe behavior that is consistent with some execution in which all transactions that commit do so instantaneously [5, 8]. Traditional correctness conditions for transactions in database systems—such as serializability [15]—do not ensure this. In [5], we defined a general condition TMS1 and a more restrictive condition ...

83 | NOrec: Streamlining STM by Abolishing Ownership Records
- Dalessandro, Spear, et al.
- 2010
Citation Context: .... The framework is formalized in the PVS language [14, 16]. Using this framework, we have achieved the first fully formal machine-checked verification of a practical TM algorithm, the NOrec algorithm [3]. As described in [10], we have also recently used the framework to clarify relationships between the TMS1, TMS2, and opacity correctness conditions (see Section 2.1). The primary goal of this paper i...

50 | Forward and backward simulations I: Untimed systems
- Lynch, Vaandrager
- 1995
Citation Context: ...e., the TM specification), modeling TM implementations, and verifying that the implementations provide the specified guarantees. Our framework is based on I/O automata and simulation proof techniques [11, 12], which support hierarchical proofs by modeling both specifications and implementations as automata and proving simulation relations between these automata. The hierarchical proof approach allows a pr...

28 | Model checking transactional memories
- Guerraoui, Henzinger, et al.
- 2010
Citation Context: ...r instances, especially for more complex algorithms, and is limited to finite instances regardless. Others have attempted to overcome these limitations using more complex techniques. Guerraoui et al. [7] showed that TM algorithms satisfying certain structural properties can be verified by model checking small instances of them. To our knowledge, these structural properties have not been formally verif...

26 | Towards formally specifying and verifying transactional memory. Formal Aspects of Computing
- Doherty, Groves, et al.
- 2012
Citation Context: ...different conditions are appropriate for different contexts. We have recently studied this problem for TM algorithms intended to support transactional language features in languages such as C and C++ [5]. To avoid fatal errors such as divide-by-zero in this context, transactions—even those that ultimately abort—must observe behavior that is consistent with some execution in which all transactions tha...

24 | Verifying correctness of transactional memories
- Cohen, O'Leary, et al.
- 2007
Citation Context: ...tomaton is simpler than the direct proof in NOrec would have been because the abstract automaton is simpler than NOrec. (3) We can use these metatheorems in future proofs. 6 Related Work Cohen et al. [1] verified small instances of some simple TM algorithms directly using a model checker. This approach cannot verify larger instances, especially for more complex algorithms, and is limited to finite in...

14 | PVS strategies for proving abstraction properties of automata
- Mitra, Archer
- 2005
Citation Context: ...meworks exist for specifying and verifying relationships between I/O automata in PVS, analogous to the non-TM-specific foundations of our framework. To our knowledge, the most mature of these is TAME [13]. However, TAME is not generally available, so we developed our own framework so that we could make it available for others to use and extend. 7 Concluding Remarks We have built a framework for formall...

12 | Mechanical verification of transactional memories with non-transactional memory accesses
- Cohen, Pnueli, et al.
- 2008
Citation Context: ...e model checking approaches can be valuable for testing hypotheses and finding bugs, we do not believe that they will be sufficient to fully verify practical TM algorithms any time soon. Cohen et al. [2] used PVS to verify another simple TM algorithm. Like us, they used PVS to model algorithms and specifications, and used the PVS theorem prover to verify that a TM algorithm satisfies the specificatio...

9 | Parameterized verification of transactional memories
- Emmi, Majumdar, et al.
- 2010
Citation Context: ...king small instances of them. To our knowledge, these structural properties have not been formally verified for any TM algorithm, so this work does not yield fully machine-checked proofs. Emmi et al. [6] used techniques to automatically generate and check parameterized invariants. However, limitations of their approach forced them to use abstract models that assume away complex concurrency-related as...

5 | Putting opacity in its place
- Lesani, Luchangco, et al.
- 2012
Citation Context: ...rmalized in the PVS language [14, 16]. Using this framework, we have achieved the first fully formal machine-checked verification of a practical TM algorithm, the NOrec algorithm [3]. As described in [10], we have also recently used the framework to clarify relationships between the TMS1, TMS2, and opacity correctness conditions (see Section 2.1). The primary goal of this paper is to give readers a co...